A Leaky Database of SMS Text Messages Exposed Password Resets and Two-Factor Codes (techcrunch.com)
A database which contained millions of text messages used to authenticate users signing into websites was left exposed to the internet without a password. From the report: The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn't protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sebastien Kaul, a Berlin-based security researcher, it didn't take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox's own subdomains. Worse, the database -- running on Amazon's Elasticsearch -- was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.
Yep, just your imagination.
Bitch.
I've had that impression as well. Perhaps the recent election results have stirred up the trolls?
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Brian Krebs' blog is always a good read https://krebsonsecurity.com/
Gross domestic profit? I mean we could go with full global profit of the company that works too. What the hell did you think I meant with GDP?
It's not the last week or so.
The Troll Index (Troll/Relevant) fluctuated around a mean average for years.
Even after Trump was elected, the trend was steady-state.
Then, as the administration started pissing off its base, especially with the trade wars, anti-Trump spammers became more active.
Though the Troll Index on /. remained nominally flat during the Obama administration, those who voted him in were disappointed more than once, and that level of dissatisfaction floated up gently til the end of that administration, but not to the point that /. was affected very much.
Trolls are the cow patties of a pleasant meadow where great minds come to mingle.
The patties, of late, are just taller.
It little behooves the best of us to comment on the rest of us.
What kind of company has a GDP?
It's only a matter of time before you get Fiji Apple or Amazon Brazil. They'll have to do something with their endless pools of cash.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Nobody? Then this is obviously perfectly acceptable and even negligence this extremely gross is not anything to worry about.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
How is a set of data intended for a protocol that is insecure by design being "leaky" or a security risk?
Of course you're going to find reset links and 2fa codes there. That's why those processes are (or should be) time bound ...
This is about as surprising as finding Jenny's number on the bathroom wall.
I blame the ACs.
Well, to be clear, I was not referring to you.
It little behooves the best of us to comment on the rest of us.
I get passwords and 2-factor codes all the time, but they are valid only for one to a few minutes.
Who would be stupid enough to send long-term passwords by such an insecure medium as SMS? It is barely better than email.
Maybe worse, as it is easier to hijack someone's phone number than their domain or email address.
If this leak has exposed them to public scrutiny, perhaps it is a good thing!
Unless you are able to see the text messages in realtime, no harm done.